<p>This rule is deprecated, and will eventually be removed.</p>
<p>Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-11639">CVE-2018-11639</a> </li>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2016-6537">CVE-2016-6537</a> </li>
</ul>
<p>Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.</p>
<p>This rule flags code that writes cookies.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> sensitive information is stored inside the cookie. </li>
</ul>
<p>You are at risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link them to the
user session, never sending them to the client. In a very few corner cases, cookies can be used for non-sensitive information that need to live longer
than the user session.</p>
<p>Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the
original information will be exposed.</p>
<p>Using cookies only for session IDs doesn’t make them secure. Follow <a
href="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies">OWASP best practices</a> when you configure your
cookies.</p>
<p>As a side note, every information read from a cookie should be <a
href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitized</a>.</p>
<h2>Sensitive Code Example</h2>
<pre>
// === Built-in NodeJS modules ===
const http = require('http');
const https = require('https');

http.createServer(function(req, res) {
  res.setHeader('Set-Cookie', ['type=ninja', 'lang=js']); // Sensitive
});
https.createServer(function(req, res) {
  res.setHeader('Set-Cookie', ['type=ninja', 'lang=js']); // Sensitive
});
</pre>
<pre>
// === ExpressJS ===
const express = require('express');
const app = express();
app.use(function(req, res, next) {
  res.cookie('name', 'John'); // Sensitive
});
</pre>
<pre>
// === In browser ===
// Set cookie
document.cookie = "name=John"; // Sensitive
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/312">CWE-312 - Cleartext Storage of Sensitive Information</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/315">CWE-315 - Cleartext Storage of Sensitive Information in a Cookie</a> </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE">COOKIE_USAGE</a> </li>
</ul>
